IBM Cloud SAML Integration Guide

Prerequisites

  • Administrator access to an IBM Cloud account (Account Owner or Administrator role for IAM Identity Service)
  • A SplitSecure Identity Provider created and approved
  • An IBM Cloud Pay-As-You-Go or Subscription account
  • A separate browser or browser profile with SplitSecure configured (for testing)

IBM Cloud Configuration

1 Navigate to Identity Providers

  1. Log in to the IBM Cloud console
  2. Go to Manage → Access (IAM) → Identity providers
  3. Click Add
  4. Select IBM Cloud SAML

2 Configure Service Provider Details

  1. Name your IBM Cloud service provider configuration
    • Choose a descriptive name (e.g., SplitSecure-Production)
    • This helps identify the configuration if you have multiple IdP connections
  2. Review the Advanced settings and adjust if necessary
  3. Click Download metadata file to download the SP metadata XML file for SplitSecure

SplitSecure Configuration

1 Configure SplitSecure with IBM Cloud Details

  1. In SplitSecure, navigate to Secure Accounts → Create Account
  2. Select IBM Cloud
  3. Enter a name for the account (e.g., IBM Cloud Secure Account)
  4. Select your Identity Provider
  5. Upload the IBM Cloud metadata XML file downloaded in Part 1
  6. Provide your login URL, which can be found at https://cloud.ibm.com/iam/identity-providers under Login URL next to your IdP
  7. Click Create Account

2 Download SplitSecure IdP Metadata

  1. In SplitSecure, navigate to Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details
  2. Click Download Metadata

Complete IBM Cloud Configuration

1 Upload IdP Metadata

Return to IBM Cloud and continue the setup:

  1. Upload IdP metadata
  2. Click Next

2 Verify SAML Connection

  1. Click Verify
  2. You will be redirected to SplitSecure’s authentication page
  3. Sign in using your SplitSecure/corporate credentials
  4. If successful, a confirmation message appears

3 Configure Assertion Mapping

This step should show “All required claims found and mapped”.

  1. Click Next

4 Test the Connection

  1. Click Test
  2. Sign in with your SplitSecure credentials on the IdP login page
  3. Verify the connection is successful
  4. Click Next

5 Complete Setup

  1. Click Create to finalize the configuration
  2. Note your IdP URL for user access (e.g., https://cloud.ibm.com/authorize/<your-identifier>)

User Access Configuration

Option A: Dynamic User Onboarding (Recommended)

Users are automatically added to your IBM Cloud account on first login.

  1. In Identity providers, edit your IdP configuration
  2. Enable Dynamic onboarding
  3. Configure access using Trusted Profiles or Access Group dynamic rules

Option B: Static User Onboarding

Users must exist in IBM Cloud before they can log in.

  1. Go to Manage → Access (IAM) → Users
  2. Invite users with email addresses matching their SplitSecure identity

Configure Access Groups with Dynamic Rules (Optional)

To automatically assign permissions based on SAML attributes:

  1. Go to Manage → Access (IAM) → Access groups
  2. Create or select an access group
  3. Click Dynamic rules → Add
  4. Configure:
    • Authentication method: Users federated by IBM Cloud SAML
    • Identity provider: Select your SplitSecure IdP
    • Conditions: Define rules based on SAML attributes

Test Authentication

1 Test Authentication (SP-Initiated)

  1. Navigate to your IdP URL (e.g., https://cloud.ibm.com/authorize/<your-identifier>)
  2. You should be redirected to SplitSecure for authentication
  3. Fill out the form
  4. After successful authentication, you should be logged into IBM Cloud

Troubleshooting

| Issue | Possible Cause | Solution |
|---|---|---|
| “User not authorized” | User doesn’t exist or lacks permissions | Verify user is onboarded and has appropriate access group membership |
| SAML assertion error | Attribute mapping mismatch | Verify required attributes (username, email, firstName, lastName) are in the assertion |
| Certificate error | Expired or incorrectly formatted certificate | Re-download metadata from SplitSecure |
| Verification timeout | Network/firewall issue | Ensure SplitSecure SSO URL is accessible from IBM Cloud |
| Attributes not mapped | Custom attribute names in IdP | Update assertion mapping in IBM Cloud to match your IdP’s attribute names |
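
For the “SAML assertion error” and “Attributes not mapped” rows above, the following added example (not part of the SplitSecure or IBM Cloud tooling) inspects a captured SAMLResponse for the four attributes the table lists. It assumes the HTTP-POST binding (plain base64, unencrypted assertion); the function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Attribute names taken from the troubleshooting table on this page.
REQUIRED = ("username", "email", "firstName", "lastName")

def check_attributes(saml_response_b64, required=REQUIRED):
    """Report required attributes that are missing, empty, or differently cased."""
    xml = base64.b64decode(saml_response_b64)
    # A SAML message never needs a DTD; refuse it rather than expand entities.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD in SAML response; refusing to parse")
    root = ET.fromstring(xml)
    if root.find(f".//{SAML}EncryptedAssertion") is not None:
        raise ValueError("assertion is encrypted; decrypt it before inspecting")
    found = {}  # attribute Name -> list of non-blank values
    for attr in root.iter(f"{SAML}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(f"{SAML}AttributeValue")]
        found[attr.get("Name", "")] = [v for v in values if v]
    by_lower = {name.lower(): name for name in found}
    report = {"missing": [], "empty": [], "renamed": {}}
    for name in required:
        if name in found:
            if not found[name]:
                report["empty"].append(name)      # present but carries no value
        elif name.lower() in by_lower:
            report["renamed"][name] = by_lower[name.lower()]  # case mismatch
        else:
            report["missing"].append(name)
    return report

def sample_response():
    """Constructed sample: lastName absent, email blank, firstName mis-cased."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        '<saml:AttributeStatement>'
        '<saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>'
        '<saml:Attribute Name="email"><saml:AttributeValue> </saml:AttributeValue></saml:Attribute>'
        '<saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_attributes(sample_response()))
```

This is a diagnostic for attribute content only: it does not verify the assertion's signature, so its output says nothing about whether a response is authentic.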
